VERIFICATION OF CORRECT EXPONENTIATION OR OTHER OPERATIONS 
IN CRYPTOGRAPHIC APPLICATIONS 

Field of the Invention 

The invention relates generally to cryptographic techniques which may be implemented in 
computer networks or other types of electronic systems and devices, and more particularly to 
techniques for verifying correct exponentiation or other operations in such systems and devices. 

Background of the Invention 

Exponentiation is a fundamental operation in many cryptographic applications, such as multi- 
party public key cryptography protocols. In such applications, there is often a need for the parties 
involved to prove to each other that the correct computation was performed, e.g., to prove that the 
intended exponentiation in relation to some public key was performed. However, in many 
multi-party protocols, whose robustness may depend on these types of proofs, it is not known 
beforehand whether the relation holds or not. Therefore, if the proof for proving a correct 
exponentiation requires that the computation indeed was correctly performed, then such a protocol 
may leak important information when given invalid inputs. This in turn may endanger protocol 
properties, such as privacy, as it potentially allows attacks on the protocol. 

An example of a protocol which may leak information when given invalid inputs is based 
on the techniques described in D. Chaum and H. Van Antwerpen, "Undeniable Signatures," 
Advances in Cryptology-Proceedings of Crypto '89, pp. 212-216, which attempt to determine 
whether a given quadruple $(g, y, m, s)$ satisfies the relation $\log_g y = \log_m s$ in the context of verifying 
the validity of undeniable signatures. These techniques have been extended in D. Chaum, "Zero- 
Knowledge Undeniable Signatures," Eurocrypt, '90, pp. 458-464, to a signature validity verification 
protocol which is zero-knowledge for valid inputs. However, it is assumed in this protocol that the 
prover knows whether the signature is valid or not. This is a serious deficiency of the protocol, since 
by running the zero-knowledge proof for an invalid input, the prover in fact leaks information 
regarding the corresponding valid signature. As a result, for invalid inputs, a standard distinguishing 
protocol, e.g., similar to a protocol suitable for proving graph non-isomorphism, must be used. T.P. 
Pedersen, "Distributed Provers with Applications to Undeniable Signatures," Advances in 
Cryptology-Proceedings of EuroCrypt '91, pp. 221-242, discloses how to distribute the zero- 
knowledge method for proving validity of undeniable signatures, but still under the above-noted 
problematic assumption that the prover already knows whether the input is a valid undeniable 
signature. 

It is therefore desirable to design protocols that do not leak any information whether given 
valid or invalid inputs. Since the very aim of the protocol may be to determine whether the input 
is valid or not, the protocol should preferably comprise two sub-protocols, one for valid inputs and 
the other for invalid inputs, such that the behavior of a prover is identical for both sub-protocols. 
A protocol described in A. Fujioka et al., "Interactive Bi-Proof Systems and Undeniable Signature 
Techniques," Eurocrypt '91, pp. 243-256 is symmetric in the sense that it contains two identical 
portions for the prover, one for proving validity of undeniable signatures, the other for proving 
invalidity. It is not clear, however, how to distribute the protocol. 

Such a protocol is referred to as "oblivious," since it does not require the protocol 
participants to know beforehand whether the input is of one type or another in order to correctly 
perform the computation. The term "oblivious" was coined by M. Jakobsson and M. Yung, 
"Proving Without Knowing: On Oblivious, Agnostic and Blindfolded Provers," Crypto '96, pp. 186-
200, in proposing a multi-party protocol for determining whether a given exponentiation was 
correctly performed. Their protocol allows the distribution of the prover in a setting in which the 
prover cannot learn whether the input is valid or not. However, this protocol generally requires 
computation and communication operations that are linear in the security parameter $k$, 
e.g., requires $O(k)$ rounds and exponentiations in order to reduce the failure probability 
to $O(2^{-k})$, which may be a limiting consideration in certain applications. 

Summary of the Invention 

The invention provides improved multi-party verification protocols which require 
significantly reduced computation and communication operations relative to the above-described 
conventional techniques. In an illustrative embodiment, the correctness of an exponentiation 
operation associated with a multi-party cryptographic protocol is verified using first and second 
proofs based on a randomized instance of the operation. A prover generates signals corresponding 
to information representative of the first and second proofs based on the randomized instance of the 
exponentiation operation. The first proof is a so-called "blinded" proof that the exponentiation 
operation has been correctly performed, configured so as to prevent leaks of information relating to 
the cryptographic protocol. The second proof is a proof that the first proof has been correctly 
performed by the prover, and is referred to herein as a "meta-proof." The proof information signals 
are transmitted from the prover to a verifier, and the verifier uses the signals to determine if the 
exponentiation operation associated with the cryptographic protocol is valid. For example, the 
verifier in an illustrative embodiment generates an indication that the operation was correctly 
performed if the first and second proofs are acceptable to the verifier, generates an indication that 
the operation was not correctly performed if the first proof is not acceptable but the second proof is 
acceptable, and generates an indication of a cheating prover if the second proof is not acceptable. 
The verification protocol can be used in applications in which the prover is distributed across a 
number of different machines. 

The verification protocols of the illustrative embodiments of the invention are correct, i.e., 
all the computations can be performed by the participants involved; sound, i.e., the decision made 
by the verifier corresponds to the true correctness with an overwhelming probability; and 
minimum-knowledge, i.e., the protocols leak no information, other than the desired verification 
result, and real protocol transcripts cannot be distinguished from simulated protocol transcripts by 
a polynomial-time distinguisher. Moreover, the protocols are "oblivious," i.e., the prover executes 
the same protocol for valid inputs as for invalid inputs. 

In a non-distributed interactive version of the invention, the prover is given a quadruple 
$(g, y, m, s)$ and needs to prove to the verifier that $\log_g y = \log_m s$. The prover knows the secret key $x$, 
i.e., the discrete logarithm of $y$ with respect to $g$. This version of the verification protocol includes 
the following steps: the prover selecting a number $a$ uniformly at random; the prover generating a 
first signal corresponding to information representative of the first proof as a triple 
$(\tilde s, \tilde a, \tilde m) = (s^a, m^{ax}, m^a)$; the verifier accepting the first proof if and only if $\tilde s = \tilde a$; the prover 
generating a second signal corresponding to information representative of the second proof as an 
indication that $\log_{\tilde m} m = \log_{\tilde s} s$ and that $\log_g y = \log_{\tilde m} \tilde a$; the verifier accepting the second 
proof if and only if both equations are valid; and the verifier outputting an indication as to the 
validity of the exponentiation operation. A distributed version of this illustrative protocol may be 
generated from the non-distributed version in a straightforward manner. 

In accordance with another aspect of the invention, a non-interactive version of the above-
noted protocol may be implemented by the prover using the following steps: (i) applying a key 
transformation protocol which takes an input of the form $(g, y, m, s)$, for which $\log_g y = \log_m s$, and 
produces a pair $(G, Y)$ wherein $G$ is a generator and $Y$ is a public key, such that $X = \log_G Y$ can only 
be computed if $\log_g y = \log_m s$; and (ii) generating a digital signature using the pair $(G, Y)$. The 
verifier then accepts the second proof as valid if and only if the corresponding digital signature is 
valid. In a related variant using a secret key transformation protocol, the key transformation 
protocol takes an input of the form $(g, y, m, s, x)$ for which $\log_g y = \log_m s = x$ and generates the 
triple $(G, Y, X)$ wherein $X$ is a secret key, such that $Y = G^X$, and the digital signature is generated 
using the triple $(G, Y, X)$. Again, distributed versions of these illustrative protocols may be generated 
from the corresponding non-distributed versions in a straightforward manner. It should also be noted 
that the key transformation techniques of the invention may be used independently of the verification 
protocols. 

The present invention provides substantial advantages over conventional techniques. More 
particularly, the use of first and second proofs in the verification protocols of the invention 
significantly improves computation and communication efficiency relative to conventional protocols. 
In addition, the invention has applicability to many different types of existing multi-party protocols. 
For example, the invention can be applied to a wide variety of different types of cryptographic 
applications, such as key generation or escrow, message authentication, digital signatures, secure 
electronic commerce, etc. 

Brief Description of the Drawings 

FIG. 1 shows an illustrative embodiment of a data processing system in which exponentiation 
verification in accordance with the invention may be utilized. 

FIG. 2 is a flow diagram illustrating an exponentiation verification process of the invention. 
FIG. 3 is a flow diagram illustrating a first proof portion of the FIG. 2 process. 
FIG. 4 is a flow diagram illustrating a second proof portion of the FIG. 2 process. 
FIG. 5 is a flow diagram illustrating a decision portion of the FIG. 2 process. 

Detailed Description of the Invention 

The present invention will be illustrated below in conjunction with an exemplary system in 
which cryptographic techniques are implemented over the Internet or other type of communication 
network. It should be understood, however, that the invention is more generally applicable to any 
type of electronic system or device application in which it is desirable to provide verification of 
correct exponentiation without one or more of the problems associated with conventional techniques. 
For example, although well-suited for use with communications over the Internet or other computer 
networks, the invention can also be applied to numerous other secure transaction applications, 
including applications based on smart cards or other electronic devices. 

FIG. 1 shows an exemplary system 10 in which exponentiation verification techniques may 
be implemented in accordance with the invention. The system 10 includes a prover 12 and a verifier 
14, both coupled to a network 16. Also coupled to the network 16 are a number of additional 
terminals 18-i, i = 1, 2, ... N, representing, e.g., additional client and/or server computers which 
communicate over the network 16. The prover 12 and verifier 14 include processors 20A, 20B 
coupled to memories 22A, 22B, respectively. One or more of the terminals 18-i may be configured 
in a manner similar to prover 12 and verifier 14. 

One or more of the elements 12, 14 and 18-i of system 10 may thus be implemented as a 
personal computer, a mainframe computer, a computer workstation, a smart card in conjunction with 
a card reader, or any other type of digital data processor as well as various portions or combinations 
thereof. The processors 20A and 20B may each represent a microprocessor, a central processing 
unit, an application-specific integrated circuit (ASIC) or other suitable processing circuitry. The 
memories 22A and 22B may be electronic, magnetic or optical memories, as well as portions or 
combinations of these and other types of memories. The network 16 may be a local area network, 
a metropolitan area network, a wide area network, a global data communications network such as 
the Internet, a private "intranet" network or any other suitable data communication medium. The 
users 12, 14 execute software programs in accordance with the invention in order to provide secure 
transactions in a manner to be described in conjunction with FIGS. 2 through 5 below. The 
invention may be embodied in whole or in part in one or more software programs stored in one or 
more of the memories 22A, 22B, or in one or more programs stored on other computer-readable 
media associated with the users 12, 14 or the system 10. 

M. Jakobsson 15 

The present invention provides a technique referred to as a "meta-proof" that can be used to 
verify correct exponentiation. A meta-proof in accordance with the invention generally comprises 
the following two portions: (a) a so-called "blinded" first proof which is a proof of the statement 
whose aim it is to prove or disprove, e.g., "the exponentiation was correctly performed," and (b) a 
second proof which is a proof that the first proof was correctly performed. The first proof is blinded 
to avoid leaks of information; the second proof is employed to maintain soundness in the presence 
of the blinding. If both proofs succeed, the verifier can conclude that the exponentiation was 
correctly performed. On the other hand, if the first proof fails and the second proof succeeds, this 
means that the exponentiation was not correctly performed. An oblivious and computationally 
zero-knowledge meta-proof for verification of valid exponentiation will be described in detail below 
in conjunction with FIGS. 2 through 5. 

A first illustrative embodiment of the invention is interactive and based on standard protocols 
for verification of undeniable signatures. A second illustrative embodiment is non-interactive, and 
may be based on any discrete log based signature technique of a common format. The non- 
interactive embodiment is both a signature and a proof of equality of discrete logs, and is thus 
referred to as a discrete log equality (DLEQ) signature. The DLEQ signature of the present 
invention uses a transformation that takes a quadruple $(g, y, m, s)$ as input, and generates the pair 
$(G, Y)$ such that $G$ is a generator and $Y$ is a public key. A related transformation in accordance with the 
invention takes the quintuple $(g, y, m, s, x)$ for which $\log_g y = \log_m s = x$ and generates the triple 
$(G, Y, X)$, such that $Y = G^X$. Based on a random oracle assumption, it can be shown that it is only 
possible to determine the secret key $X$ if $\log_g y = \log_m s$. 

Using these new parameters, the prover can use any standard discrete log-based signature 
technique to convince the verifier that the relationship between the discrete logarithms holds. This 
is done simply by the prover generating a signature on some message using $G$ as a generator, $Y$ as 
a public key, and $X$ as the corresponding secret key. This signature is given to the verifier. If the 
signature is valid, the verifier will conclude that $\log_g y = \log_m s$, since the prover with overwhelming 
probability must have known $X$. The method is demonstrated below using well-known Schnorr 
signatures, as described in, e.g., C.P. Schnorr, "Efficient Identification and Signatures for Smart Cards," 
Advances in Cryptology, Proceedings of Crypto '89, pp. 239-252, 1989. The input elements are 
applied to a generator and to public and secret keys that raise different factors of a product to 
different powers in order to "lock together" different input components. It can be shown that it is 
only possible to determine the secret key corresponding to these new aggregate components if the 
input components have the same discrete log relationship. 

In the illustrative embodiments, it is assumed that a quadruple $(g, y, m, s)$ is given to a set of 
participants that share the secret key $x$ corresponding to the public key $y = g^x$. Unless otherwise 
stated, it is assumed for the following description that all computation is modulo $p$, where $p$ is a large 
prime such that $p = lq + 1$ for an integer $l$ and another large prime $q$. It is the goal of these 
participants to determine whether or not $s = m^x$ holds. For simplicity of the protocol description it 
is also assumed that $x$ is shared using a $(k, n)$ threshold technique, as described in, e.g., A. Shamir, 
"How to Share a Secret," Communications of the ACM, Vol. 22, pp. 612-613, 1979. 

A computational assumption made in the illustrative embodiments is that a random quadruple 
$(g, g^x, m, m^x)$ cannot be distinguished from $(g, g^x, m, R)$ for a random $R = m^r$ unless $x$ is known. This 
assumption is known in the art as the "Decision Diffie-Hellman" assumption. A quadruple 
$(g, y, m, s)$ is in the language of valid quadruples if $\log_g y = \log_m s$. This is with respect to a given pair of 
prime moduli $(p, q)$ of the assumed format. The invention in the illustrative embodiments provides 
protocols for deciding language membership of given quadruples $(g, y, m, s)$. 

As will be described in greater detail below, the protocols of the illustrative embodiments 
of the invention are correct, i.e., all the computations can be performed by the participants involved; 
sound, i.e., the decision made corresponds to the true language membership with an overwhelming 
probability; and minimum-knowledge, i.e., the protocols leak no information, other than the desired 
one bit result, and real protocol transcripts cannot be distinguished from simulated protocol 
transcripts by a polynomial-time distinguisher. Moreover, the protocols are "oblivious," i.e., the 
prover executes the same protocol for input quadruples in the language as for those that are not. In 
other words, the prover executes the same protocol for valid inputs as for invalid inputs. 
The invention will first be described in a non-distributed version for simplicity of notation. 
It will be apparent to those skilled in the art that this is a setting in which oblivious protocols are not 
needed for security reasons, since the prover can decide whether to use the protocol for language 
membership or non-membership before the start of the protocol. However, it will also be shown 
below that the non-distributed version of the protocol can be easily converted to a distributed 
version. In the non-distributed version of the protocol, the prover is given a quadruple $(g, y, m, s)$, 
and needs to determine, and prove, whether $\log_g y = \log_m s$. It is assumed that the prover knows the 
secret key $x$, i.e., the discrete logarithm of $y$ with respect to $g$. 

The flow diagrams in FIGS. 2 through 5 illustrate this version of the protocol. Steps 50, 52, 
54 and 56 correspond to setup, first proof, second proof and decision portions, respectively, of the 
protocol. Steps 50, 52, and 54 are carried out by the prover, e.g., prover 12 of FIG. 1, and step 56 
by the verifier, e.g., verifier 14 of FIG. 1. Step 52 is shown in greater detail in FIG. 3 and includes 
steps 60 and 62. Step 54 is shown in greater detail in FIG. 4. Step 56 is shown in greater detail in 
FIG. 5 and includes steps 70 and 72. 

The non-distributed version of the protocol is as follows: 

1. Setup (Step 50). The prover selects a number $a \in_u \mathbb{Z}_q$ uniformly at random. 

2. First proof (Step 52). The prover in step 60 of FIG. 3 generates a randomized 
instance from the random number $a$, an instance $(m, s)$ and the secret key $x$. In step 62, the prover 
generates and outputs information corresponding to a first proof, namely the triple 
$(\tilde s, \tilde a, \tilde m) = (s^a, m^{ax}, m^a)$. In step 70 of FIG. 5, the verifier accepts this first proof if and only if 
$\tilde s = \tilde a$. 

3. Second proof (Step 54). The prover, using the randomized instance, proves that 
$\log_{\tilde m} m = \log_{\tilde s} s$ and that $\log_g y = \log_{\tilde m} \tilde a$, as indicated in FIG. 4. In step 72 of FIG. 5, the 
verifier accepts this second proof if and only if both equations are found to hold. 

4. Decision (Step 56). The decision portion of the process includes steps 70 and 72 as 
previously described. As shown in FIG. 5, the verifier outputs "exponentiation valid" if it accepted 
both the first and second proofs. The verifier outputs "exponentiation invalid" if it rejected the first 
proof and accepted the second proof. Otherwise, it outputs "cheating prover." 

Interactive versions of the above protocol can utilize, e.g., a proof protocol for undeniable 
signatures to prove equality of discrete logs, as described in the above-cited D. Chaum references. 
Moreover, a simple and efficient non-interactive protocol can also be constructed, using any 
common discrete-log based protocol. 

The non-interactive proof protocol for performing the proofs of equality of discrete logs 
needed in the previous protocol will now be described. This non-interactive proof protocol is 
described in two steps. First, a key transformation protocol is described. The key transformation 
protocol takes an input of the form $(g, y, m, s)$, for which $\log_g y = \log_m s$, and produces a pair 
$(G, Y)$, such that $X = \log_G Y$ can only be computed if $\log_g y = \log_m s$, and this discrete log is known. 
Second, it is shown how these new parameters can be used in standard signature techniques of a 
common format, e.g., Schnorr signatures. Here, the DLEQ proof is said to succeed if and only if the 
corresponding signature is valid. Again, the non-distributed version of the protocol is considered 
in order to simplify the notation, and the modifications needed to obtain the distributed version are 
straightforward and will be apparent to those of ordinary skill in the art. 

In a public key transformation implementation of the DLEQ signature technique of the 
invention, the transformation algorithm takes as input the quadruple $(g, y, m, s)$. Two randomizing 
coefficients are computed. These are $e_j = \mathrm{hash}(g, y, m, s, j)$, for $j \in \{1, 2\}$, where $\mathrm{hash}$ is an 
arbitrary hash function that can be modeled by, e.g., a random oracle. The transformation then 
pairwise "locks together" the components of the input in the following manner: $G = g^{e_1} m^{e_2}$, and 
$Y = y^{e_1} s^{e_2}$. The transformation algorithm outputs the pair $(G, Y)$, where $G$ is denoted the new 
generator and $Y$ is denoted the new public key. 
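As an added check, not part of the original description, the following derivation in the symbols just defined shows why the transformed keys lock the input components together, and why the blinded first proof of the preceding protocol decides the relation.

Write $m = g^w$ for some $w \in \mathbb{Z}_q$ (possible since $g$ generates the order-$q$ subgroup containing $m$), and let $x = \log_g y$ and $x' = \log_m s$. Then

$$G = g^{e_1} m^{e_2} = g^{e_1 + e_2 w}, \qquad Y = y^{e_1} s^{e_2} = g^{e_1 x + e_2 w x'},$$

so that

$$\log_G Y = \frac{e_1 x + e_2 w x'}{e_1 + e_2 w} \pmod q .$$

If $x = x'$ the right-hand side equals $x$ for every choice of $(e_1, e_2)$, which is why the secret key transformation can simply output $X = x$. If $x \neq x'$ the right-hand side varies with $(e_1, e_2)$, which the random oracle fixes only after $(g, y, m, s)$ has been chosen, and a prover who does not know $w = \log_g m$ has no way to evaluate it; this is the content of the random oracle soundness claim stated below.

The blinded first proof rests on the same subgroup structure: for $a \in \mathbb{Z}_q$ with $a \neq 0$,

$$\tilde s = \tilde a \iff s^a = m^{ax} \iff (s m^{-x})^a = 1 \iff s = m^x,$$

because $s m^{-x}$ has order $1$ or $q$ and $a$ is invertible modulo $q$. The verifier must therefore reject a degenerate blinding with $a = 0$ (visible as $\tilde m = 1$), and both parties should check that $g, y, m, s$ lie in the order-$q$ subgroup, since the equivalence does not hold for elements of other orders.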

A similar transformation implementation of the DLEQ signature technique of the invention 
may be used for secret keys. This is much more straightforward, however, as it simply involves 
setting the output secret key $X$ to the input secret key $x$, or $X = x$. The transformation in this case 
outputs the triplet $(G, Y, X)$, where $G$ is the new generator, $Y$ is the new public key, and $X$ is the new 
secret key. This new generator, public key and secret key can be used in a standard signature 
technique. For example, standard Schnorr signatures can be generated as follows. The prover 
selects a value $k \in_u \mathbb{Z}_q$ uniformly at random. It computes $r = g^k$, and the value $t = k - cx \bmod q$, 
where $c = \mathrm{hash}(\mu, r)$, for a message $\mu$ to be signed, and $x$ is the secret key of the signer, with a 
corresponding public key $y = g^x$. The prover outputs $(r, t)$ as a signature on $\mu$. The signature is 
verified by checking that $r = y^c g^t$ for $c = \mathrm{hash}(\mu, r)$. This Schnorr signature technique can be 
directly used to prove the equality of discrete logarithms by using $(G, Y, X)$ instead of $(g, y, x)$. The 
message $\mu$ is irrelevant in this setting. Similarly, any other signature technique with this general 
structure may be employed. 
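The non-distributed protocol (steps 1 through 4 above) and the Schnorr-based DLEQ signature just described, put together as an added worked example in Python. This is not code from the patent; the toy group size, the SHA-256 encoding of $\mathrm{hash}$, the domain-separator strings and all function names are assumptions of the example.

```python
import hashlib
import secrets

# Toy group, constructed for this example and far too small for real use: p = 2q + 1
# with q prime, and g = 2^2 is a quadratic residue, hence a generator of the order-q
# subgroup. A deployment would use a >= 2048-bit p or a prime-order elliptic curve.
P, Q = 10007, 5003
G0 = 4


def hash_to_zq(*items):
    """The hash(...) of the text, modelled as a random oracle into Z_q^*.

    Outputs are forced non-zero so a false statement can never verify through a
    zero challenge; the first item is a domain separator (an assumption of this example).
    """
    data = b"|".join(str(i).encode() for i in items)
    return 1 + int.from_bytes(hashlib.sha256(data).digest(), "big") % (Q - 1)


def in_group(v):
    """Membership in the order-q subgroup; every value exchanged must pass this check."""
    return 0 < v < P and pow(v, Q, P) == 1


def key_transform(g, y, m, s):
    """Public key transformation: e_j = hash(g, y, m, s, j), G = g^e1 m^e2, Y = y^e1 s^e2.

    Y = G^x holds exactly when log_g y = log_m s = x, so the secret key transformation
    is simply X = x.
    """
    e1, e2 = hash_to_zq("kt", g, y, m, s, 1), hash_to_zq("kt", g, y, m, s, 2)
    return pow(g, e1, P) * pow(m, e2, P) % P, pow(y, e1, P) * pow(s, e2, P) % P


def schnorr_sign(gen, x, msg=""):
    """Schnorr signature (r, t): r = gen^k, c = hash(msg, r), t = k - c x mod q."""
    k = secrets.randbelow(Q - 1) + 1
    r = pow(gen, k, P)
    return r, (k - hash_to_zq("sig", msg, r) * x) % Q


def schnorr_verify(gen, pub, sig, msg=""):
    """Accept iff r = pub^c gen^t with c = hash(msg, r)."""
    r, t = sig
    c = hash_to_zq("sig", msg, r)
    return in_group(r) and r == pow(pub, c, P) * pow(gen, t, P) % P


def dleq_sign(g, y, m, s, x):
    """DLEQ signature for 'log_g y = log_m s' under secret X = x. The prover runs this
    whether or not the statement is true (it is oblivious); it only verifies if true."""
    G, _ = key_transform(g, y, m, s)
    return schnorr_sign(G, x)


def dleq_verify(g, y, m, s, sig):
    G, Y = key_transform(g, y, m, s)
    return schnorr_verify(G, Y, sig)


def prover_meta_proof(g, y, m, s, x):
    """Steps 50-54: randomized instance, blinded first proof, and the meta-proof.
    The prover never compares s with m^x; it need not know whether the input is valid."""
    a = secrets.randbelow(Q - 1) + 1                                   # step 50: a in Z_q, a != 0
    s_t, a_t, m_t = pow(s, a, P), pow(m, a * x % Q, P), pow(m, a, P)   # steps 60/62: (s~, a~, m~)
    a_inv = pow(a, -1, Q)
    # step 54: log_{m~} m = log_{s~} s (both equal a^-1) and log_g y = log_{m~} a~ (both equal x)
    blinding_proof = dleq_sign(m_t, m, s_t, s, a_inv)
    exponent_proof = dleq_sign(g, y, m_t, a_t, x)
    return (s_t, a_t, m_t), blinding_proof, exponent_proof


def verifier_decide(g, y, m, s, first, blinding_proof, exponent_proof):
    """Step 56 (FIG. 5): 'exponentiation valid' / 'exponentiation invalid' / 'cheating prover'."""
    if not all(in_group(v) for v in (g, y, m, s)) or 1 in (g, m):
        raise ValueError("quadruple must lie in the order-q subgroup with g, m != 1")
    s_t, a_t, m_t = first
    # step 72: the meta-proof; a degenerate blinding (a = 0, hence m~ = 1) counts as cheating
    second_ok = (all(in_group(v) for v in first) and m_t != 1
                 and dleq_verify(m_t, m, s_t, s, blinding_proof)
                 and dleq_verify(g, y, m_t, a_t, exponent_proof))
    if not second_ok:
        return "cheating prover"
    return "exponentiation valid" if s_t == a_t else "exponentiation invalid"   # step 70


if __name__ == "__main__":
    x = 1234
    y, m = pow(G0, x, P), pow(G0, 77, P)
    for s in (pow(m, x, P), pow(m, x + 1, P)):          # one valid and one invalid quadruple
        print(verifier_decide(G0, y, m, s, *prover_meta_proof(G0, y, m, s, x)))
```

Two practical points the description leaves implicit are built in: challenges and coefficients are drawn from $\mathbb{Z}_q^*$ rather than $\mathbb{Z}_q$, so a zero challenge can never make a false statement verify, and both sides check that every exchanged value lies in the order-$q$ subgroup, since the blinding argument relies on $a^{-1} \bmod q$ being a meaningful exponent. Binding $G$ and $Y$ into the Schnorr challenge, as is usual Fiat-Shamir practice, is a further hardening that the description of $c = \mathrm{hash}(\mu, r)$ does not include.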

The above-described oblivious protocol for verifying correct exponentiation is computational 
minimum-knowledge, i.e., given a bit corresponding to the desired output of the verifier 
"exponentiation valid" or "exponentiation invalid," there is a simulator whose transcripts cannot be 
distinguished by a polynomial-time verifier from those generated by a real prover. In other words, 
given an oracle for language membership, it is possible in polynomial-time to simulate transcripts 
that cannot be distinguished with a non-negligible probability by any polynomial-time participant 
from real protocol transcripts for the corresponding proof. 

The oblivious protocol is correct, i.e., all computation can be performed by the participants, 
and the expected output is produced if all the participants are honest. 

The oblivious protocol is sound, i.e., it is infeasible for a dishonest prover to make the 
verifier output "exponentiation valid" for an input quadruple not in the language, or "exponentiation 
invalid" for an input quadruple in the language. In other words, if the verifier outputs 
"exponentiation valid," then the exponentiation must be valid with an overwhelming probability; 
likewise, if he outputs "exponentiation invalid," the exponentiation must be invalid with an 
overwhelming probability. This holds since the second-order proof, whose soundness can be 
demonstrated, prevents the prover from cheating in the first-order proof. 

The DLEQ signature protocol is correct, i.e., when used in conjunction with a sound and 
correct signature technique, the resulting signature will be valid with an overwhelming probability 
if the input $(g, y, m, s)$ to the key transformation protocol is such that $\log_g y = \log_m s$. In other 
words, if the generated keys are used in a signature technique in the manner shown, then the 
signature proof succeeds if the input parameters to the transformation protocol have the same 
pairwise discrete log relation. 

The transformation protocol is sound, i.e., when used in conjunction with a sound and correct 
signature technique, the resulting signature will be valid only if the input $(g, y, m, s)$ to the 
transformation protocol is such that $\log_g y = \log_m s$. In other words, the verifier of the signature 
protocol in which the generated keys are used will reject the signature with an overwhelming 
probability if the input parameters to the transformation protocol do not have the pairwise discrete 
log relation. 

A distributed version of the above-described exponentiation verification protocol will now 
be described. In the distributed version, the prover is distributed across multiple machines, e.g., 
across the set of terminals 18-i of system 10. In other embodiments, the prover 12 could be one of 
the terminals comprising a portion of a distributed prover. The distributed version is illustrated 
using the above-noted Schnorr-based signature technique for proof of equality of discrete logarithms, 
although other embodiments of the invention are similarly straightforward to implement with a 
distributed prover. For simplicity of notation, $x_{Q,i}$ denotes server $i$'s Lagrange-weighted share (when 
applicable) of the secret key $x$, given an active quorum $Q$. For the part of the proof that uses the 
blinding factor $a$ as a secret and distributed key, $a_i$ plays the role of $x_{Q,i}$. The same uniform notation 
as previously introduced is used in the following illustrative distributed version, i.e., the prover 
wishes to prove that $\log_g y = \log_m s$ for an input quadruple $(g, y, m, s)$, where $x = \log_g y$. 

1. Server $i$ computes $e_j = \mathrm{hash}(g, y, m, s, j)$, for $j \in \{1, 2\}$. Server $i$ then 
computes $G = g^{e_1} m^{e_2}$, $Y = y^{e_1} s^{e_2}$. 

2. Server $i$ selects $k_i \in_u \mathbb{Z}_q$ and computes $r_i = G^{k_i}$. Server $i$ commits to this, and decommits 
first after all the other servers have committed. All commitments are verified, and $r = \prod_{i \in Q} r_i$ is 
computed. Finally, server $i$ computes $t_i = k_i - c\,x_{Q,i}$, for $c = \mathrm{hash}(r)$. The value $t_i$ is published, and each 
server computes $t = \sum_{i \in Q} t_i \bmod q$. 

3. The servers verify that $Y^c G^t = r$, after which the pair $(r, t)$ is output. 

If a cheating prover is detected at any time, then the protocol is stopped, the corresponding 
server is replaced, and the computation is restarted from the beginning. 
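The three-step distributed signing above, as an added example that is not the patent's code. It reuses the toy group and hash conventions of the earlier example; Shamir sharing, Lagrange weights and a hash commitment stand in for the share distribution and commitment scheme the text leaves unspecified, and all names are the example's own assumptions.

```python
import hashlib
import secrets

# Toy group (constructed for the example, far too small for real use): p = 2q + 1 with q
# prime, g = 2^2 a generator of the order-q subgroup. Deployments use >= 2048-bit p.
P, Q = 10007, 5003
G0 = 4


def hash_to_zq(*items):
    """Random-oracle hash into Z_q^* (never zero); the first item is a domain separator."""
    data = b"|".join(str(i).encode() for i in items)
    return 1 + int.from_bytes(hashlib.sha256(data).digest(), "big") % (Q - 1)


def key_transform(g, y, m, s):
    """Step 1: e_j = hash(g, y, m, s, j), G = g^e1 m^e2, Y = y^e1 s^e2 (Y = G^x iff the relation holds)."""
    e1, e2 = hash_to_zq("kt", g, y, m, s, 1), hash_to_zq("kt", g, y, m, s, 2)
    return pow(g, e1, P) * pow(m, e2, P) % P, pow(y, e1, P) * pow(s, e2, P) % P


def shamir_share(secret, k, n):
    """(k, n) threshold sharing over Z_q: share i is f(i) for a random f of degree k-1, f(0) = secret."""
    coeffs = [secret] + [secrets.randbelow(Q) for _ in range(k - 1)]
    return {i: sum(c * pow(i, j, Q) for j, c in enumerate(coeffs)) % Q for i in range(1, n + 1)}


def lagrange_weight(i, quorum):
    """lambda_i for quorum Q, so that sum_{i in Q} lambda_i f(i) = f(0); x_{Q,i} = lambda_i x_i."""
    w = 1
    for j in quorum:
        if j != i:
            w = w * j * pow(j - i, -1, Q) % Q
    return w


def commit(value, nonce):
    """Hash commitment to r_i (the text leaves the commitment scheme open; this is an assumption)."""
    return hashlib.sha256(f"{value}|{nonce}".encode()).hexdigest()


def distributed_dleq_sign(g, y, m, s, shares, quorum):
    """Steps 1-3 for the quorum; per-server state is kept in dicts keyed by server id.

    Returns (r, t), or raises when the step-3 check fails, which is where the text
    stops the protocol, replaces the faulty server and restarts.
    """
    G, Y = key_transform(g, y, m, s)                     # step 1, recomputed by every server
    # step 2: each server picks k_i, publishes commit(r_i), opens only after all commitments arrived
    k = {i: secrets.randbelow(Q - 1) + 1 for i in quorum}
    r_i = {i: pow(G, k[i], P) for i in quorum}
    nonce = {i: secrets.token_hex(16) for i in quorum}
    commitments = {i: commit(r_i[i], nonce[i]) for i in quorum}
    for i in quorum:                                     # every opening is checked against its commitment
        if commit(r_i[i], nonce[i]) != commitments[i]:
            raise ValueError(f"server {i} opened a value it did not commit to")
    r = 1
    for i in quorum:
        r = r * r_i[i] % P
    c = hash_to_zq("sig", r)
    t_i = {i: (k[i] - c * lagrange_weight(i, quorum) * shares[i]) % Q for i in quorum}
    t = sum(t_i.values()) % Q
    # step 3: Y^c G^t = r must hold before (r, t) is released
    if pow(Y, c, P) * pow(G, t, P) % P != r:
        raise ValueError("step 3 failed: a server misbehaved or the quadruple is not in the language")
    return r, t


def dleq_verify(g, y, m, s, sig):
    """The verifier's check is identical to the non-distributed case."""
    G, Y = key_transform(g, y, m, s)
    r, t = sig
    c = hash_to_zq("sig", r)
    return 0 < r < P and r == pow(Y, c, P) * pow(G, t, P) % P


if __name__ == "__main__":
    x = 2021
    shares = shamir_share(x, 3, 5)                      # (3, 5) threshold sharing of the secret key
    y, m = pow(G0, x, P), pow(G0, 99, P)
    sig = distributed_dleq_sign(G0, y, m, pow(m, x, P), shares, [1, 3, 5])
    print("valid quadruple verifies:", dleq_verify(G0, y, m, pow(m, x, P), sig))
```

Every server recomputes $(G, Y)$ and $c$ itself rather than trusting a coordinator, opens its $r_i$ only after all commitments are in (otherwise the last server could bias $r$), and the step-3 check runs before anything leaves the quorum. Because the servers are oblivious, a failed step-3 check on a base statement $\log_g y = \log_m s$ can mean either a faulty server or a quadruple outside the language; in the meta-proof both DLEQ statements are true for honest servers, so a failure there does indicate cheating.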

It should be understood that the above-described embodiments of the invention are 
illustrative only. For example, the invention can be applied to any type of digital signature protocol 
and to numerous other cryptographic applications involving exponentiation. These and numerous 
other alternative embodiments within the scope of the following claims will be apparent to those 
skilled in the art. 
Claims 

What is claimed is: 

1. A method of implementing a cryptographic protocol between multiple parties including 
at least a prover and a verifier, the method comprising the steps of: 

generating at least one signal corresponding to information representative of first and 
second proofs based on an operation associated with the cryptographic protocol, wherein the first 
proof is a proof that the operation has been correctly performed, and the second proof is a proof that 
the first proof has been correctly performed; and 

transmitting the proof information signal from the prover to the verifier, such that the 
verifier can determine if the operation associated with the cryptographic protocol is valid based at 
least in part on the proof information signal. 

2. The method of claim 1 wherein the operation associated with the cryptographic protocol 
is an exponentiation operation, and the proof information signal is based on a randomized instance 
of the exponentiation operation. 

3. The method of claim 1 wherein the first proof is a blinded proof configured so as to 
prevent leaks of information relating to the cryptographic protocol. 

4. The method of claim 1 further including the step of generating an indication that the 
operation was correctly performed if the first and second proofs are acceptable to the verifier. 

5. The method of claim 1 further including the step of generating an indication that the 
operation was not correctly performed if the first proof is not acceptable to the verifier but the second 
proof is acceptable to the verifier. 

6. The method of claim 1 further including the step of generating an indication that 
the prover is cheating if the second proof is not acceptable to the verifier. 
7. The method of claim 1 wherein the prover is given a quadruple $(g, y, m, s)$, and needs to 
prove to the verifier that $\log_g y = \log_m s$, the prover knows $x$, the discrete logarithm of $y$ with respect 
to $g$, and the method further includes the steps of: 

the prover randomly selecting a number $a$; 

the prover generating a first signal corresponding to information representative of the 
first proof as a triple $(\tilde s, \tilde a, \tilde m) = (s^a, m^{ax}, m^a)$; 

the verifier accepting the first proof if and only if $\tilde s = \tilde a$; 

the prover generating a second signal corresponding to information representative of 
the second proof as an indication that $\log_{\tilde m} m = \log_{\tilde s} s$ and that $\log_g y = \log_{\tilde m} \tilde a$; 

the verifier accepting the second proof if and only if both equations are valid; and 
the verifier outputting at least one of: (i) an indication of valid exponentiation if both 
the first and second proofs are accepted; (ii) an indication that the exponentiation is invalid if the first 
proof is rejected and the second proof is accepted; and (iii) an indication that the prover is cheating 
if the second proof is rejected. 

8. The method of claim 1 further including the steps of: 

applying a key transformation protocol which takes an input of the form (g, y, m, s), 
for which log_g y = log_m s, and produces a pair (G, Y) wherein G is a generator and Y is a public key, 
such that X = log_G Y can only be computed if log_g y = log_m s; 

generating a signal corresponding to information representative of the second proof 
as a digital signature generated using the pair (G, Y); and 

accepting the second proof if and only if the corresponding digital signature is valid. 

9. The method of claim 8 wherein the key transformation protocol takes an input of the form 
(g, y, m, s, x) for which log_g y = log_m s = x and generates the triple (G, Y, X) wherein X is a secret 
key, such that Y = G^X, and the digital signature is generated using the triple (G, Y, X). 
M. Jakobsson 15 

10. The method of claim 1 wherein the prover is a distributed prover distributed over 
multiple machines. 

11. An apparatus for implementing a cryptographic protocol between multiple parties 
including at least a prover and a verifier, the apparatus comprising: 

a processor associated with the prover and operative to generate at least one signal 
corresponding to information representative of first and second proofs based on an operation 
associated with the cryptographic protocol, wherein the first proof is a proof that the operation has 
been correctly performed, and the second proof is a proof that the first proof has been correctly 
performed, wherein the proof information signal is transmitted from the prover to the verifier and 
used to determine if the operation associated with the cryptographic protocol is valid; and 

a memory coupled to the processor for at least temporarily storing at least a portion 
of the proof information signal. 

12. The apparatus of claim 11 wherein the operation associated with the cryptographic 
protocol is an exponentiation operation, and the proof information signal is based on a randomized 
instance of the exponentiation operation. 

13. The apparatus of claim 11 wherein the first proof is a blinded proof configured so as to 
prevent leaks of information relating to the cryptographic protocol. 

14. The apparatus of claim 11 wherein the verifier is operative to generate an indication that 
the operation was correctly performed if the first and second proofs are acceptable to the verifier. 

15. The apparatus of claim 11 wherein the verifier is operative to generate an indication that 
the operation was not correctly performed if the first proof is not acceptable to the verifier but the 
second proof is acceptable to the verifier. 

16. The apparatus of claim 11 wherein the verifier is operative to generate an indication that 
the prover is cheating if the second proof is not acceptable to the verifier. 

17. The apparatus of claim 11 wherein the prover is given a quadruple (g, y, m, s), and needs 
to prove to the verifier that log_g y = log_m s, the prover knows x, the discrete logarithm of y with 
respect to g, and the method further includes the steps of: 

the prover randomly selecting a number a; 

the prover generating a first signal corresponding to information representative of the 
first proof as a triple (s̄, ā, m̄) = (s^a, m^(ax), m^a); 

the verifier accepting the first proof if and only if s̄ = ā; 

the prover generating a second signal corresponding to information representative of 
the second proof as an indication that log_{m̄} m = log_{s̄} s and that log_g y = log_{m̄} ā; 

the verifier accepting the second proof if and only if both equations are valid; and 

the verifier outputting at least one of (i) an indication of valid exponentiation if both 
the first and second proofs are accepted; (ii) an indication that the exponentiation is invalid if the first 
proof is rejected and the second proof is accepted; and (iii) an indication that the prover is cheating 
if the first proof is accepted and the second proof is rejected. 
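The protocol of claims 7 and 17, carried out end to end as an added example in Python (illustrative code, not the patent's own): the prover's blinded triple, the verifier's first check s̄ = ā, and a Fiat-Shamir Chaum-Pedersen equality-of-logs proof standing in for the claimed "indication" that both log relations hold, with the verifier's three outputs. The toy group parameters, the hash-based challenge and every function name are assumptions.

```python
import hashlib
import secrets

# Constructed toy group, not from the patent: p = 2q + 1 with p, q prime; G and M
# are quadratic residues mod p, so both generate the subgroup of prime order q.
P, Q = 1019, 509
G, M = 4, 9

def _challenge(*vals):
    # Fiat-Shamir challenge in [1, Q-1] (never 0, so a wrong witness always fails).
    data = ",".join(str(v) for v in vals).encode()
    return 1 + int.from_bytes(hashlib.sha256(data).digest(), "big") % (Q - 1)

def prove_equal_logs(g1, h1, g2, h2, w):
    # Chaum-Pedersen proof that log_{g1} h1 = log_{g2} h2 (= w), made non-interactive.
    r = secrets.randbelow(Q - 1) + 1
    t1, t2 = pow(g1, r, P), pow(g2, r, P)
    c = _challenge(g1, h1, g2, h2, t1, t2)
    return t1, t2, (r + c * w) % Q

def verify_equal_logs(g1, h1, g2, h2, proof):
    t1, t2, z = proof
    c = _challenge(g1, h1, g2, h2, t1, t2)
    return (pow(g1, z, P) == t1 * pow(h1, c, P) % P
            and pow(g2, z, P) == t2 * pow(h2, c, P) % P)

def prover(g, y, m, s, x, forge=False):
    # Claim 7: pick random a, send the blinded triple (s_bar, a_bar, m_bar)
    # = (s^a, m^(ax), m^a); the random a is what blinds the first proof.
    a = secrets.randbelow(Q - 1) + 1
    s_bar, a_bar, m_bar = pow(s, a, P), pow(m, a * x, P), pow(m, a, P)
    if forge:              # a cheating prover forces the first check to pass
        a_bar = s_bar
    # Second proof: (i) m_bar and s_bar were raised to the same a, which is the
    # claim's log_{m_bar} m = log_{s_bar} s (exponent 1/a, invertible mod Q);
    # (ii) a_bar = m_bar^x with the same x as y = g^x, i.e. log_g y = log_{m_bar} a_bar.
    second = (prove_equal_logs(m, m_bar, s, s_bar, a),
              prove_equal_logs(g, y, m_bar, a_bar, x))
    return (s_bar, a_bar, m_bar), second

def verifier(g, y, m, s, first, second):
    # Claim 7 outputs: both proofs ok -> valid; first fails, second ok -> invalid
    # exponentiation; second fails -> the prover is cheating.
    s_bar, a_bar, m_bar = first
    second_ok = (verify_equal_logs(m, m_bar, s, s_bar, second[0])
                 and verify_equal_logs(g, y, m_bar, a_bar, second[1]))
    if not second_ok:
        return "cheating"
    return "valid" if s_bar == a_bar else "invalid"

def run(s, x, forge=False):
    # One full exchange for the quadruple (G, G^x, M, s) with prover secret x.
    y = pow(G, x, P)
    first, second = prover(G, y, M, s, x, forge)
    return verifier(G, y, M, s, first, second)
```

With x = 123, run(pow(M, x, P), x) returns "valid"; with s = M^(x+1) it returns "invalid", and with forge=True as well it returns "cheating".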

18. The apparatus of claim 11 wherein the processor is further operative: 

to apply a key transformation protocol which takes an input of the form (g, y, m, s), 
for which log_g y = log_m s, and produces a pair (G, Y) wherein G is a generator and Y is a public key, 
such that X = log_G Y can only be computed if log_g y = log_m s; and 

to generate a signal corresponding to information representative of the second proof 
as a digital signature generated using the pair (G, Y), such that the verifier accepts the second proof 
if and only if the corresponding digital signature is valid. 

19. The apparatus of claim 18 wherein the key transformation protocol takes an input of the 
form (g, y, m, s, x) for which log_g y = log_m s = x and generates the triple (G, Y, X) wherein X is a 
secret key, such that Y = G^X, and the digital signature is generated using the triple (G, Y, X). 

20. The apparatus of claim 11 wherein the prover is a distributed prover distributed over 
multiple machines, and wherein one of the machines includes the processor. 

21. The apparatus of claim 11 wherein the prover is a distributed prover distributed over 
multiple machines, and wherein the processor comprises a distributed processor including at least 
a portion of a processor associated with each of at least a subset of the multiple machines. 

22. A computer-readable medium containing one or more programs, wherein the one or 
more programs when executed in a computer provide the steps of: 

generating at least one signal corresponding to information representative of first and 
second proofs based on an operation associated with the cryptographic protocol, wherein the first 
proof is a proof that the operation has been correctly performed, and the second proof is a proof that 
the first proof has been correctly performed; and 

transmitting the proof information signal from the prover to the verifier, such that the 
verifier can determine if the operation associated with the cryptographic protocol is valid based at 
least in part on the proof information signal. 

23. A method for implementing a cryptographic protocol between multiple parties including 
at least a prover and a verifier, the method comprising the steps of: 

applying a key transformation protocol which takes an input of the form (g, y, m, s), 
for which log_g y = log_m s, and produces a pair (G, Y) wherein G is a generator and Y is a public key, 
such that X = log_G Y can only be computed if log_g y = log_m s; and 

generating a digital signature using the pair (G, Y). 

24. An apparatus for implementing a cryptographic protocol between multiple parties 
including at least a prover and a verifier, the apparatus comprising: 

a processor associated with the prover and operative: (i) to apply a key transformation 
protocol which takes an input of the form (g, y, m, s), for which log_g y = log_m s, so as to produce 
a pair (G, Y) wherein G is a generator and Y is a public key, such that X = log_G Y can only be 
computed if log_g y = log_m s; and (ii) to generate a digital signature using the pair (G, Y). 

25. A method of implementing a cryptographic protocol between multiple parties including 
at least a prover and a verifier, the method comprising the steps of: 

receiving at least one signal corresponding to information representative of first and 
second proofs based on an operation associated with the cryptographic protocol, wherein the first 
proof is a proof that the operation has been correctly performed, and the second proof is a proof that 
the first proof has been correctly performed; and 

determining if the operation associated with the cryptographic protocol is valid based 
at least in part on the proof information signal. 

26. An apparatus for implementing a cryptographic protocol between multiple parties 
including at least a prover and a verifier, the apparatus comprising: 

a processor associated with the verifier and operative: (i) to receive at least one signal 
corresponding to information from the prover representative of first and second proofs based on an 
operation associated with the cryptographic protocol, wherein the first proof is a proof that the 
operation has been correctly performed, and the second proof is a proof that the first proof has been 
correctly performed, and (ii) to determine if the operation associated with the cryptographic protocol 
is valid based at least in part on the proof information signal; and 

a memory coupled to the processor for at least temporarily storing at least a portion 
of the proof information signal. 

27. A computer-readable medium containing one or more programs, wherein the one or 
more programs when executed in a computer provide the steps of: 

receiving at least one signal corresponding to information representative of first and 
second proofs based on an operation associated with the cryptographic protocol, wherein the first 
proof is a proof that the operation has been correctly performed, and the second proof is a proof that 
the first proof has been correctly performed; and 

determining if the operation associated with the cryptographic protocol is valid based 
at least in part on the proof information signal. 

Abstract 

The correctness of an exponentiation operation or other type of operation associated with 
a multi-party cryptographic protocol is verified using first and second proofs based on a randomized 
instance of the operation. A prover generates signals corresponding to information representative 
of the first and second proofs based on the randomized instance. The first proof is a so-called 
"blinded" proof that the operation has been correctly performed, configured so as to prevent leaks 
of information relating to the cryptographic protocol. The second proof is a proof that the first proof 
has been correctly performed by the prover. The proof information signals are transmitted from the 
prover to a verifier, and the verifier uses the signals to determine if the operation associated with the 
cryptographic protocol is valid. For example, the verifier in an illustrative embodiment generates 
an indication that the operation was correctly performed if the first and second proofs are acceptable 
to the verifier, generates an indication that the operation was not correctly performed if the first proof 
is not acceptable but the second proof is acceptable, and generates an indication of a cheating prover 
if the second proof is not acceptable. The verification protocol can be used in applications in which 
the prover is distributed across a number of different machines. 

L 1200-288.APP 
IN THE UNITED STATES 
PATENT AND TRADEMARK OFFICE 

Declaration and Power of Attorney 

As the below named inventor, I hereby declare that: 

My residence, post office address and citizenship are as stated below next to my name. 

I believe I am the original, first and sole inventor of the subject matter which is claimed 
and for which a patent is sought on the invention entitled VERIFICATION OF CORRECT 
EXPONENTIATION OR OTHER OPERATIONS IN CRYPTOGRAPHIC 
APPLICATIONS the specification of which is attached hereto. 

I hereby state that I have reviewed and understand the contents of the above identified 
specification, including the claims, as amended by an amendment, if any, specifically referred to 
in this oath or declaration. 

I acknowledge the duty to disclose all information known to me which is material to 
patentability as defined in Title 37, Code of Federal Regulations, 1.56. 

I hereby claim foreign priority benefits under Title 35, United States Code, 119 of any 
foreign application(s) for patent or inventor's certificate listed below and have also identified 
below any foreign application for patent or inventor's certificate having a filing date before that 
of the application on which priority is claimed: 

None 

I hereby claim the benefit under Title 35, United States Code, 120 of any United States 
application(s) listed below and, insofar as the subject matter of each of the claims of this 
application is not disclosed in the prior United States application in the manner provided by the 
first paragraph of Title 35, United States Code, 112, I acknowledge the duty to disclose all 
information known to me to be material to patentability as defined in Title 37, Code of Federal 
Regulations, 1.56 which became available between the filing date of the prior application and the 
national or PCT international filing date of this application: 

None 

I hereby declare that all statements made herein of my own knowledge are true and that 
all statements made on information and belief are believed to be true; and further that these 
statements were made with the knowledge that willful false statements and the like so made are 
punishable by fine or imprisonment, or both, under Section 1001 of Title 18 of the United States 
Code and that such willful false statements may jeopardize the validity of the application or any 
patent issued thereon. 
I hereby appoint the following attorneys with full power of substitution and revocation, 
to prosecute said application, to make alterations and amendments therein, to receive the patent, 
and to transact all business in the Patent and Trademark Office connected therewith: 



Lester H. Birnbaum (Reg. No. 25830) 
Richard J. Botos (Reg. No. 32016) 
Jeffery J. Brosemer (Reg. No. 36096) 
Kenneth M. Brown (Reg. No. 37590) 
Craig J. Cox (Reg. No. 39643) 
Donald P. Dinella (Reg. No. 39961) 
Guy Eriksen (Reg. No. 41736) 
Martin I. Finston (Reg. No. 31613) 
James H. Fox (Reg. No. 29379) 
William S. Francos (Reg. No. 38456) 
Barry H. Freedman (Reg. No. 26166) 
Julio A. Garceran (Reg. No. 37138) 
Mony R. Ghose (Reg. No. 38159) 
Jimmy Goo (Reg. No. 36528) 
Anthony Grillo (Reg. No. 36535) 
Stephen M. Gurey (Reg. No. 27336) 
John M. Harman (Reg. No. 38173) 
Michael B. Johannesen (Reg. No. 35557) 
Mark A. Kurisko (Reg. No. 38944) 
Irena Lager (Reg. No. 39260) 
Christopher N. Malvone (Reg. No. 34866) 
Scott W. McLellan (Reg. No. 30776) 
Martin G. Meder (Reg. No. 34674) 
John C. Moran (Reg. No. 30782) 
Michael A. Morra (Reg. No. 28975) 
Gregory J. Murgia (Reg. No. 41209) 
Claude R. Narcisse (Reg. No. 38979) 
Joseph J. Opalach (Reg. No. 36229) 
Neil R. Ormos (Reg. No. 35309) 
Eugen E. Pacher (Reg. No. 29964) 
Jack R. Penrod (Reg. No. 31864) 
Daniel J. Piotrowski (Reg. No. 42079) 
Gregory C. Ranieri (Reg. No. 29695) 
Scott J. Rittman (Reg. No. 39010) 
Eugene J. Rosenthal (Reg. No. 36658) 
Bruce S. Schneider (Reg. No. 27949) 
Ronald D. Slusky (Reg. No. 26585) 
David L. Smith (Reg. No. 30592) 
Patricia A. Verlangieri (Reg. No. 42201) 
John P. Veschi (Reg. No. 39058) 
David Volejnicek (Reg. No. 29355) 
Charles L. Warren (Reg. No. 27407) 
Jeffrey M. Weinick (Reg. No. 36304) 
Eli Weiss (Reg. No. 17765) 



I hereby appoint the attorney(s) on ATTACHMENT A as associate attorney(s) in the 
aforementioned application, with full power solely to prosecute said application, to make 
alterations and amendments therein, to receive the patent, and to transact all business in the Patent 
and Trademark Office connected with the prosecution of said application. No other powers are 
granted to such associate attorney(s) and such associate attorney(s) are specifically denied any 
power of substitution or revocation. 



Full name of sole inventor: Bjorn Markus Jakobsson 




Inventor's signature: (handwritten) Date: (handwritten, illegible) 

Residence: Hoboken, Hudson County, New Jersey 
Citizenship: Sweden 



Post Office Address: 161 Newark Street, #4A 

Hoboken, New Jersey 07030 
Attorney Name(s): Joseph B. Ryan Reg. No. 37922 
Kevin M. Mason Reg. No. 36597 
William E. Lewis Reg. No. 39274 



Telephone calls should be made to Joseph B. Ryan of Ryan & Mason, L.L.P. at: 

Phone No.: (516) 759-7517 
Fax No.: (516) 759-9512 

All written communications are to be addressed to: 

Ryan & Mason, L.L.P. 

90 Forest Avenue 

Locust Valley, New York 11560 



